Certificates

From NComputing Knowledge Base
Revision as of 15:58, 11 November 2014 by Jmeister (talk | contribs) (excluded .pem as a possible suffix)


Certificates are an essential part of today's security infrastructure built on HTTPS, SSL/TLS, X.509 and PKI. A certificate is a small signed document that binds a public key to a specific person, host or organization, so that a client can verify it is talking to the real peer and not to a man-in-the-middle attacker. From a pure system administration point of view, certificates mean extra work. The good news is that NoTouch supports working with certificates in all of its very diverse areas.

In short: you can upload certificates to individual machines via a web browser, and you can have NoTouch Center distribute your certificates to a large number of machines. These certificates can be used for network authentication, the web browser, the Citrix Receiver, the VMware Horizon View client, the FreeRDP Remote Desktop Protocol client and other services.

In general, certificates need to be .crt files in PEM format: ASCII text files that start with "-----BEGIN CERTIFICATE-----" and contain the Base64-encoded DER certificate between the BEGIN and END lines. Exceptions to this rule may apply, but to be safe always try with a PEM-formatted .crt file first.

Adding private or new certificates to NoTouch

NoTouch ships with the standard CA certificates of the well-known PKI vendors; everything that is current at the time of a particular NoTouch release is included. Most people buying a certificate from such a vendor will never need to add certificates. In the following cases, however, it may be necessary to add your own certificates:

  • You are using private certificates (self-signed or from your own certificate authority)
  • You bought a certificate from a new vendor whose certificates were not yet included in our repository
  • A well-known vendor has issued a new root certificate that was not available at the time this particular NoTouch image was built

Method 1: Upload certificates into a NoTouch machine

This method is good for testing or for small installations with just a few machines, or if you plan to do [[Configuration preload|configuration preload]].

  1. Point the web browser of your normal work PC or Mac to the IP address or hostname of the NoTouch machine
  2. Login with your client admin password
  3. Scroll a bit down to find the "Certificates" menu entry
  4. Upload your certificate files

Method 2: Distribute certificates automatically

This method is good for a large number of machines to avoid repeated tasks:

  1. Place your certificate file on a web server where it is reachable from your NoTouch-powered machines by HTTP or HTTPS. Check that no firewall blocks the download. If you have several files, put them all into a plain ZIP file. If you do not have a web server, you can store the files on the Stratodesk Virtual Appliance or, if you don't have the Virtual Appliance, with a NoTouch Center installation. Keep in mind that whatever the clients fetch from this URL becomes a trusted certificate on every one of them: prefer HTTPS from a server the clients already trust, restrict who can write to that location, and compare the fingerprint of a deployed certificate (for example with openssl x509 -noout -fingerprint -sha256 -in ca.crt) against the one you published.
  2. Enter the full URL of the .crt or .zip file into the "Certificates download URL" parameter, for example http://myserver.mycompany.com/mycerts.zip. You find this parameter on the client under All->Security->Certificates and under the "Administration" parameters in NoTouch Center.

After the next reboot, the certificates will be available.

Method 3: Install manually from USB device

It is also possible to fetch certificates from a USB device. This requires a little Linux interaction; if you are not familiar with the command line and basic Linux commands, we suggest using one of the other methods described above.

  1. Open the "Console" from the "Diagnostic" section
  2. Copy the files from /tmp/devshares (where the USB device appears, e.g. /tmp/devshares/usb0) to /config/certificates. An example command sequence would be:
        # copy every .crt file from the first USB device, then flush the writes to disk
        cp /tmp/devshares/usb0/*.crt /config/certificates
        sync

Certificate formats and conversion

NoTouch in general supports X.509 certificates in PEM and DER formats. Since NoTouch contains so many different applications, ranging from open-source tools to proprietary third-party binaries, it is difficult to make a statement that holds for every one of them.

A user certificate and its private key can be included in the same file. If the user certificate and private key are received in PKCS#12/PFX format, they need to be converted to PEM/DER. This can be done, e.g., with the following commands on any machine that has OpenSSL installed (Windows, Mac, Linux):

Convert client certificate and private key to PEM format

    openssl pkcs12 -in example.pfx -out user.crt -clcerts

You are prompted for the PFX import password and then for a PEM pass phrase; the private key in user.crt is written encrypted with that pass phrase. Adding -nodes writes the key unencrypted, in which case the file must be protected accordingly.

Convert CA certificate (if included in PFX file) to PEM format

    openssl pkcs12 -in example.pfx -out ca.crt -cacerts -nokeys

Please consult the OpenSSL documentation for more information.
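The following Python script is an added example, not NoTouch code and not part of the NoTouch documentation. It checks a file before you upload it, covering both the PEM .crt requirement stated at the top of this page and the PKCS#12 case above: it tells PEM armor from bare DER, spots a PFX bundle that still has to go through openssl pkcs12, flags a private key shipped in the same file, and converts between PEM and DER. It uses only the standard library and inspects the outer ASN.1 shape only; it does not validate X.509 contents or signatures. The sample inputs at the bottom are constructed stand-ins, not real certificates or keys.

```python
"""Pre-upload check for certificate files: PEM (.crt), bare DER, or PKCS#12?

Added example, not NoTouch code; standard library only. It does not validate
X.509 contents or signatures, it only inspects the outer encoding so that a
PFX bundle is caught before upload and sent through "openssl pkcs12" instead.
"""
import base64
import binascii
import re

# PEM armor: -----BEGIN <LABEL>----- base64 -----END <LABEL>-----
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_der_tlv(data: bytes, offset: int = 0):
    """Return (tag, header_len, content_len) of the TLV at offset, or None."""
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 2 + n > len(data):
        return None  # indefinite or absurd length: not DER
    return tag, 2 + n, int.from_bytes(data[offset + 2:offset + 2 + n], "big")


def classify_der(data: bytes) -> str:
    """'certificate', 'pkcs12' or 'unknown' for one DER-encoded object."""
    outer = read_der_tlv(data)
    # X.509 Certificate and PKCS#12 PFX are both one top-level SEQUENCE that
    # must span the whole file; anything else (or trailing junk) is not DER.
    if outer is None or outer[0] != 0x30 or outer[1] + outer[2] != len(data):
        return "unknown"
    inner = read_der_tlv(data, outer[1])
    if inner and inner[0] == 0x30:
        return "certificate"  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, .. }
    if inner and inner[0] == 0x02:
        return "pkcs12"       # PFX ::= SEQUENCE { version INTEGER, .. }
    return "unknown"


def pem_blocks(data: bytes):
    """Yield (label, der) per PEM block; der is b'' when the base64 is corrupt."""
    for m in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        except binascii.Error:
            der = b""
        yield m.group(1).decode(), der


def classify_file(data: bytes) -> dict:
    """Summarise what a file contains and whether it still needs conversion."""
    blocks = list(pem_blocks(data))
    if blocks:
        labels = [label for label, _ in blocks]
        return {"format": "pem", "labels": labels,
                "valid_certificates": sum(1 for label, der in blocks if label == "CERTIFICATE"
                                          and classify_der(der) == "certificate"),
                "has_private_key": any("PRIVATE KEY" in label for label in labels),
                "needs_conversion": False}
    kind = classify_der(data)
    return {"format": "der" if kind != "unknown" else "unknown",
            "labels": {"certificate": ["CERTIFICATE"], "pkcs12": ["PKCS12"]}.get(kind, []),
            "valid_certificates": int(kind == "certificate"),
            "has_private_key": None if kind == "pkcs12" else False,  # unknown until the PFX is parsed
            "needs_conversion": kind == "pkcs12"}


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER in PEM armor with the conventional 64-character base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER of the first CERTIFICATE block in a PEM file (b'' if none)."""
    return next((der for label, der in pem_blocks(pem) if label == "CERTIFICATE"), b"")


# Constructed stand-ins, NOT real certificates or keys: only the outer ASN.1
# shape is inspected. The tbsCertificate filler exceeds 127 bytes so the
# long-form length path is exercised too.
FAKE_CERT_DER = der_tlv(0x30, der_tlv(0x30, b"\x02\x01\x01" + b"\x00" * 130)
                        + der_tlv(0x30, b"\x06\x01\x00") + der_tlv(0x03, b"\x00\xaa"))
FAKE_PFX_DER = der_tlv(0x30, der_tlv(0x02, b"\x03") + der_tlv(0x30, b""))
FAKE_CERT_PEM = der_to_pem(FAKE_CERT_DER)
FAKE_KEY_PEM = der_to_pem(der_tlv(0x30, b"\x02\x01\x00"), "PRIVATE KEY")
```

Call classify_file() on the raw bytes of each file you intend to upload: a result with format "pem" and valid_certificates greater than zero is what the .crt upload expects, needs_conversion set means the file is a PFX that must first go through the openssl pkcs12 commands above, and has_private_key warns you that the file carries key material and should be handled like a secret. The two-tag heuristic (SEQUENCE followed by SEQUENCE versus SEQUENCE followed by INTEGER) is enough to tell a certificate from a PFX, but it is not a parser: a file that passes here can still be rejected by an application that reads the full structure.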

Using certificates

Having certificates uploaded or deployed means that they are present on the system. Different NoTouch modules use certificates differently, so please see the following pointers for the appropriate instructions:

  • Citrix Receiver and VMware Horizon View client use available certificates automatically if needed. No further action needs to be taken
  • Wireless LAN in certain authentication modes can require certificates
  • In network authentication, be it wired IEEE 802.1X or WiFi WPA/WPA2, certificates need to be selected by the appropriate parameters. Please consult the articles about network authentication. When writing your own wired or wireless authentication configuration with WPASupplicant you may need certificates as well
  • The Firefox web browser automatically uses such certificates in NoTouch 2.35.65 and above. Earlier versions require manually adding security exceptions
  • General usage: NoTouch places the certificates in the standard directories where most typical Linux software expects them and can make use of them. That means that other third-party tools not mentioned here will most likely work with these certificates without any extra effort
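The following wpa_supplicant network blocks are an added illustration, not taken from the NoTouch documentation; the SSID, identity, placeholder password, domain suffix and the /config/certificates path are assumptions chosen for the example (the path echoes the directory used in Method 3, whether wpa_supplicant on NoTouch is pointed there depends on the network authentication parameters described in the linked articles). The two blocks are shown side by side only for comparison; use one of them. They show why the CA certificate matters for the WPA/WPA2 Enterprise modes mentioned above: without ca_cert the supplicant accepts any server certificate during PEAP, so a rogue access point with any RADIUS server can harvest the MSCHAPv2 credential exchange.

```conf
# WEAK: no CA pinned. Any server certificate is accepted, so a rogue AP
# with its own RADIUS server can complete PEAP and capture the credentials.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-change-me"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: the server certificate must chain to the deployed CA file and
# carry a name under the expected domain before the inner auth is attempted.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-change-me"
    phase2="auth=MSCHAPV2"
    ca_cert="/config/certificates/corp-root-ca.crt"
    domain_suffix_match="mycompany.com"
}
```

ca_cert must point at the CA that issued the RADIUS server's certificate, in PEM form as deployed by one of the methods above; domain_suffix_match additionally rejects a certificate that is validly issued by that CA but for a different host, which matters when the CA also signs certificates for other systems.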